diff --git a/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch b/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8c7d4cffb1b97e7c658619a4e3d723267285cfd0
--- /dev/null
+++ b/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Thu, 19 Sep 2024 10:15:13 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Signed-off-by: Leo Sandoval
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index a1c00776d..573004915 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
+- oldumask=$(umask); umask 077
++ oldumask=$(umask); umask 177
+ cat ${grub_cfg}.new > ${grub_cfg}
+ umask $oldumask
+ rm -f ${grub_cfg}.new
diff --git a/20-grub.install b/20-grub.install
index a05c15c5bceecef6c531acc2a01050640ae580f0..8c2a7dc9ba2c0e17cb1f50c65076da43419fccdb 100755
--- a/20-grub.install
+++ b/20-grub.install
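Review bot: The `umask 177` only governs the mode of a grub.cfg that `cat ${grub_cfg}.new > ${grub_cfg}` creates; when `${grub_cfg}` already exists the redirect truncates it in place and its previous mode (0700 under the old packaging) is kept, so this patch alone does not tighten permissions on an upgraded system. If that case is meant to be handled here, add `chmod 0600 ${grub_cfg}` after the `cat` instead of relying on the umask. Whether `${grub_cfg}.new` is itself written under a restrictive umask is not visible in the hunk, and the enclosing `else` branch continues outside it. The embedded commit message misspells "Stricter" as "Stricker".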
@@ -90,13 +90,10 @@ case "$COMMAND" in
 [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
 BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
 BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
- if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
- cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
- else
- mkbls "${KERNEL_VERSION}" \
- "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
- >"${BLS_TARGET}"
- fi
+ mkbls "${KERNEL_VERSION}" \
+ "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
+ >"${BLS_TARGET}"
+ command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"
 LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
 INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"
@@ -109,7 +106,11 @@ case "$COMMAND" in
 sed -i -e "s,^initrd.*,initrd ${BOOTPREFIX}${INITRD},g" "${BLS_TARGET}"
 fi
- if [[ "$KERNEL_VERSION" == *\+* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ]; then
+ if ( [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && \
+ [ "x$GRUB_NON_STANDARD_KERNEL" == "xtrue" ] ) || \
+ ( echo "$KERNEL_VERSION" | grep -E -q "64k|auto|rt|uki" && \
+ [ "x$GRUB_NON_STANDARD_KERNEL" != "xtrue" ] ) || \
+ ( [[ "$KERNEL_VERSION" == *debug* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ] ); then
 GRUB_UPDATE_DEFAULT_KERNEL=false
 fi
diff --git a/dist b/dist
index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..1fe92cf0fdf9c2625d878a2ace258f64c1e8ca44 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8
+an8_10
diff --git a/grub.macros b/grub.macros
index 17afcbf9eace32c2960972385875142272b15826..07a0edd02ba5ec12be3b41c6f2656bf35759c7d4 100644
--- a/grub.macros
+++ b/grub.macros
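Review bot: The `mkbls … >"${BLS_TARGET}"` path that is now the only path is unchecked, whereas the `cp -aT` branch it replaces carried `|| exit $?`; if mkbls fails, a truncated or empty `${BLS_TARGET}` is left behind and the grep/sed lines that follow operate on it. Suggest `>"${BLS_TARGET}" || exit $?` on the redirect line, or removing the partial file before exiting. `restorecon -R` on a single regular file works, but `-R` is unnecessary here and a plain `restorecon "${BLS_TARGET}"` reads clearer. The case arm enclosing this code starts outside the hunk.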
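Review bot: The rewritten `if` condition wraps each clause in `( … )`, which forks a subshell per clause, and the middle clause forks twice more for `echo | grep`, although every test is a pure string comparison; it also mixes `[[ ]]` with `[ "x$VAR" == "xtrue" ]`, where `==` inside `[` is a bashism the script does not need since it already uses `[[`. Brace grouping plus `[[ =~ ]]` keeps the same truth table without any forks. Note that `64k|auto|rt|uki` is an unanchored substring match either way, so `rt` also matches a version string that merely contains those two letters (a `virt` flavour, constructed example) — worth a comment if that is accepted. `${GRUB_DEFAULT_KERNEL_TYPE}` is left unquoted so it can carry a glob; an empty value turns the first clause into `!= **`, which is always false, and under `set -u` (not visible here) an unset value would abort instead.
```shell
flavour_re='64k|auto|rt|uki'
if { [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && [[ "$GRUB_NON_STANDARD_KERNEL" == true ]]; } ||
   { [[ "$KERNEL_VERSION" =~ $flavour_re ]] && [[ "$GRUB_NON_STANDARD_KERNEL" != true ]]; } ||
   { [[ "$KERNEL_VERSION" == *debug* ]] && [[ "$GRUB_DEFAULT_TO_DEBUG" != true ]]; }; then
  GRUB_UPDATE_DEFAULT_KERNEL=false
fi
```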
@@ -409,8 +409,10 @@ done \
 -p /EFI/BOOT -d grub-core \\\
 --sbat %{4}./sbat.csv \\\
 ${GRUB_MODULES} \
-%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}} \
-%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}} \
+%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.one -a %%{5} -c %%{6} -n %%{7}}} \
+%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.one -a %%{5} -c %%{6} -n %%{7}}} \
+%{expand:%%{pesign -s -i %%{2}.one -o %%{2} -a %%{8} -c %%{9} -n %%{10}}} \
+%{expand:%%{pesign -s -i %%{3}.one -o %%{3} -a %%{8} -c %%{9} -n %%{10}}} \
 %{nil}
 %else
 %define efi_mkimage() \
@@ -595,14 +597,15 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \
 ln -sf ../default/grub \\\
 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \
+touch grub.cfg \
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \
 %{nil}
 %define define_legacy_variant_files() \
 %{expand:%%files %{1}} \
 %defattr(-,root,root,-) \
 %config(noreplace) %{_sysconfdir}/%{name}.cfg \
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \
 %dir %attr(0700,root,root)/boot/loader/entries \
 %ifarch ppc64le \
 %dir %{_libdir}/grub/%{2}/ \
diff --git a/grub.patches b/grub.patches
index f02beb93cb0f46e309d10a45020ec49d83bff6e1..124c51f46f37c24b43ae901ddbca09f9581704f7 100644
--- a/grub.patches
+++ b/grub.patches
@@ -588,7 +588,7 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
 Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
 Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
-
+Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
 # Support loongarch64
 #Patch1000: 1000-loongarch64-add-support.patch
 Patch1001: 1001-bls-make-list.patch
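Review bot: After the second `pesign` pass the intermediate `%%{2}.one` and `%%{3}.one` images remain in the build tree and nothing in the macro removes them; whether a later install or glob step picks them up is not visible here, so either delete them once the final images exist (`rm -f %%{2}.one %%{3}.one \` before `%{nil}`) or confirm that the install step copies only `%%{2}` and `%%{3}`. The macro now also depends on arguments 8–10; a caller that still passes seven presumably gets empty `-a`/`-c`/`-n` values in the second pass rather than a build error, which is worth a comment at the macro's definition. That definition starts outside the hunk.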
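Review bot: `touch grub.cfg` creates a stray empty file in the working directory purely so that `install -m 0600` has a source; `install -m 0600 /dev/null ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \` does the same in one line without the leftover. The 0600 mode now agrees with the `%attr(0600,root,root)` on the %ghost entry further down, which is the consistency that matters for `rpm -V`. Because the entry is %ghost, the mode of a grub.cfg already present on the target system is presumably left to scriptlets and grub2-mkconfig rather than to this %attr.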
diff --git a/grub2.spec b/grub2.spec
index bea76fd7595d49cba7c2ff790cde8c629f213ddd..1ca9db805d6cb0fb0480cef339c685da9cd2458c 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.1
 %undefine _hardened_build
 %global tarversion 2.02
@@ -9,28 +9,27 @@
 %global _configure_gnuconfig_hack 1
 %endif
-Name: grub2
-Epoch: 1
-Version: 2.02
-Release: 150%{anolis_release}%{?dist}
-Summary: Bootloader with support for Linux, Multiboot and more
-Group: System Environment/Base
-License: GPLv3+
-URL: http://www.gnu.org/software/grub/
-Obsoletes: grub < 1:0.98
-Source0: ftp://alpha.gnu.org/gnu/grub/grub-%{tarversion}.tar.xz
+Name: grub2
+Epoch: 1
+Version: 2.02
+Release: 158%{anolis_release}%{?dist}
+Summary: Bootloader with support for Linux, Multiboot and more
+Group: System Environment/Base
+License: GPLv3+
+URL: http://www.gnu.org/software/grub/
+Obsoletes: grub < 1:0.98
+Source0: ftp://alpha.gnu.org/gnu/grub/grub-%{tarversion}.tar.xz
 #Source0: ftp://ftp.gnu.org/gnu/grub/grub-%%{tarversion}.tar.xz
-Source1: grub.macros
-Source2: grub.patches
-Source3: release-to-master.patch
-Source4: http://unifoundry.com/unifont-5.1.20080820.pcf.gz
-Source5: theme.tar.bz2
-Source6: gitignore
-Source8: strtoull_test.c
-Source9: 20-grub.install
-Source12: 99-grub-mkconfig.install
-Source19: sbat.csv.in
-
+Source1: grub.macros
+Source2: grub.patches
+Source3: release-to-master.patch
+Source4: http://unifoundry.com/unifont-5.1.20080820.pcf.gz
+Source5: theme.tar.bz2
+Source6: gitignore
+Source8: strtoull_test.c
+Source9: 20-grub.install
+Source12: 99-grub-mkconfig.install
+Source19: sbat.csv.in
 %include %{SOURCE1}
@@ -52,33 +51,33 @@ Source19: sbat.csv.in
 # generate with do-rebase
 %include %{SOURCE2}
-BuildRequires: gcc efi-srpm-macros
-BuildRequires: flex bison binutils python3-devel
-BuildRequires: ncurses-devel xz-devel bzip2-devel
-BuildRequires: freetype-devel libusb-devel
-BuildRequires: rpm-devel
-BuildRequires: rpm-devel rpm-libs
-BuildRequires: autoconf automake autogen device-mapper-devel
-BuildRequires: freetype-devel gettext-devel git
-BuildRequires: texinfo
-BuildRequires: dejavu-sans-fonts
-BuildRequires: help2man
+BuildRequires: gcc efi-srpm-macros
+BuildRequires: flex bison binutils python3-devel
+BuildRequires: ncurses-devel xz-devel bzip2-devel
+BuildRequires: freetype-devel libusb-devel
+BuildRequires: rpm-devel
+BuildRequires: rpm-devel rpm-libs
+BuildRequires: autoconf automake autogen device-mapper-devel
+BuildRequires: freetype-devel gettext-devel git
+BuildRequires: texinfo
+BuildRequires: dejavu-sans-fonts
+BuildRequires: help2man
 # For %%_userunitdir macro
-BuildRequires: systemd
+BuildRequires: systemd
 %ifarch %{efi_arch}
-BuildRequires: pesign >= 0.99-8
+BuildRequires: pesign >= 0.99-8
 %endif
 %if %{?_with_ccache: 1}%{?!_with_ccache: 0}
-BuildRequires: ccache
+BuildRequires: ccache
 %endif
-ExcludeArch: s390 s390x %{arm}
-Obsoletes: %{name} <= %{evr}
+ExcludeArch: s390 s390x %{arm}
+Obsoletes: %{name} <= %{evr}
 %if 0%{with_legacy_arch}
-Requires: %{name}-%{legacy_package_arch} = %{evr}
+Requires: %{name}-%{legacy_package_arch} = %{evr}
 %else
-Requires: %{name}-%{package_arch} = %{evr}
+Requires: %{name}-%{package_arch} = %{evr}
 %endif
 %global desc \
@@ -92,21 +91,21 @@ hardware devices.\
 %{desc}
 %package common
-Summary: grub2 common layout
-Group: System Environment/Base
-BuildArch: noarch
-Conflicts: grubby < 8.40-13
+Summary: grub2 common layout
+Group: System Environment/Base
+BuildArch: noarch
+Conflicts: grubby < 8.40-13
 %description common
 This package provides some directories which are required by various
 grub2 subpackages.
 %package tools
-Summary: Support tools for GRUB.
-Group: System Environment/Base
-Obsoletes: %{name}-tools < %{evr}
-Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Requires: gettext os-prober which file
+Summary: Support tools for GRUB.
+Group: System Environment/Base
+Obsoletes: %{name}-tools < %{evr}
+Requires: %{name}-common = %{epoch}:%{version}-%{release}
+Requires: gettext os-prober which file
 Requires(pre): dracut
 Requires(post): dracut
@@ -116,11 +115,11 @@ This subpackage provides tools for support of all platforms.
 %ifarch x86_64 loongarch64
 %package tools-efi
-Summary: Support tools for GRUB.
-Group: System Environment/Base
-Requires: gettext os-prober which file
-Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes: %{name}-tools < %{evr}
+Summary: Support tools for GRUB.
+Group: System Environment/Base
+Requires: gettext os-prober which file
+Requires: %{name}-common = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-tools < %{evr}
 %description tools-efi
 %{desc}
@@ -128,23 +127,23 @@ This subpackage provides tools for support of EFI platforms.
 %endif
 %package tools-minimal
-Summary: Support tools for GRUB.
-Group: System Environment/Base
-Requires: gettext
-Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes: %{name}-tools < %{evr}
+Summary: Support tools for GRUB.
+Group: System Environment/Base
+Requires: gettext
+Requires: %{name}-common = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-tools < %{evr}
 %description tools-minimal
 %{desc}
 This subpackage provides tools for support of all platforms.
 %package tools-extra
-Summary: Support tools for GRUB.
-Group: System Environment/Base
-Requires: gettext os-prober which file
-Requires: %{name}-tools-minimal = %{epoch}:%{version}-%{release}
-Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes: %{name}-tools < %{evr}
+Summary: Support tools for GRUB.
+Group: System Environment/Base
+Requires: gettext os-prober which file
+Requires: %{name}-tools-minimal = %{epoch}:%{version}-%{release}
+Requires: %{name}-common = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-tools < %{evr}
 %description tools-extra
 %{desc}
@@ -191,10 +190,10 @@ git commit -m "After making subdirs"
 %build
 %if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
 %endif
 %if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
 %endif
 %if 0%{with_legacy_arch}
 %{expand:%do_legacy_build %%{grublegacyarch}}
@@ -318,6 +317,19 @@ if [ "$1" = 2 ]; then
 /sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
 fi
+%posttrans common
+set -eu
+
+GRUB_HOME=/boot/%{name}
+
+if test -f ${GRUB_HOME}/grub.cfg; then
+ # make sure GRUB_HOME/grub.cfg has 600 permissions
+ GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
+ if ! test "${GRUB_CFG_MODE}" = "600"; then
+ chmod 0600 ${GRUB_HOME}/grub.cfg
+ fi
+fi
+
 %triggerun -- grub2 < 1:1.99-4
 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
 # from the affected grub2 packages, we first back up the files in triggerun and
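Review bot: The updated `%do_primary_efi_build` and `%do_alt_efi_build` calls pass `%{old_sb_ca}`, `%{old_sb_cer}` and `%{old_sb_key}` as the new arguments 7–9, but nothing in this diff defines those macros; if they are not defined in grub.macros, rpm generally leaves `%{old_sb_ca}` unexpanded and pesign is handed that literal string as its `-a` value. A `%define` beside the existing `sb_ca` trio, or a `%{?old_sb_ca:…}` guard, would make the dependency explicit and fail early. The %build section continues outside the hunk.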
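Review bot: With `set -eu`, the new `%posttrans common` scriptlet fails outright whenever `stat` or `chmod` returns non-zero — for instance if `/boot/%{name}/grub.cfg` is a symlink into a vfat ESP, where chmod typically reports "Operation not permitted" — turning a best-effort permission fix-up into a transaction error, and `test -f` and `chmod` both follow symlinks, so that case is not excluded. A form that cannot fail noisily is `test -f ${GRUB_HOME}/grub.cfg && ! test -L ${GRUB_HOME}/grub.cfg && chmod 0600 ${GRUB_HOME}/grub.cfg || :`, which also drops the `stat` round-trip since a chmod to an unchanged mode is harmless. `stat --format="%a"` relies on rpm passing the undefined macro `%a` through untouched; writing `%%a` makes the literal explicit.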
@@ -518,13 +530,7 @@ fi
 %endif
 %changelog
-* Fri Jun 07 2024 Kai Song - 2.02-150.0.2
-- Fix CVE-2024-1048,CVE-2023-4692,CVE-2023-4693
-- util: Regenerate kernelopts if missing on ppc
-- kern/ieee1275/init: ppc64: Restrict high memory in presence of fadump
-- util: Enable default kernel for updates
-
-* Mon Dec 18 2023 Bo Ren - 2.02-150.0.1
+* Tue Nov 12 2024 Bo Ren - 2.02-158.0.1
 - Build pc-modules package on x86_64 (geliwei@openanolis.org)
 - Add loongarch64 base support (zhangwenlong@loongson.cn)(chenguoqi@loongson.cn)
 - Fix a bug in bls_make_list, blscfg. (zhonglingh@linux.alibaba.com)
@@ -532,7 +538,41 @@ fi
 - Add LoongArch64 support(yangqiming@loongson.cn)
 - LoongArch64 support fdt and phy-addr BIOS(yangqiming@loongson.cn)
 - Remove dtb dir with correct argument (Liwei Ge)
-- Remove unneeded buildrequires (Zhao Hang)
+
+* Thu Sep 19 2024 Leo Sandoval - 2.02-158
+- grub-mkconfig.in: turn off executable owner bit
+- Resolves: #RHEL-58835
+
+* Wed Aug 14 2024 Leo Sandoval - 2.02-157
+- 20-grub-install: fix SELinux security type context for BLS
+- Resolves: #RHEL-4395
+
+* Tue Feb 20 2024 Nicolas Frayer - 2.02-156
+- fs/ntfs: OOB write fix
+- (CVE-2023-4692)
+- Resolves: #RHEL-11566
+
+* Thu Feb 8 2024 Nicolas Frayer - 2.06-155
+- grub-set-bootflag: Fix for CVE-2024-1048
+- (CVE-2024-1048)
+- Resolves: #RHEL-20746
+
+* Mon Nov 27 2023 Nicolas Frayer - 2.02-154
+- Missing install script for previous commit
+- Related: #RHEL-4343
+
+* Fri Nov 24 2023 Nicolas Frayer - 2.02-153
+- util: Enable default kernel for updates
+- Resolves: #RHEL-4343
+
+* Fri Oct 20 2023 Nicolas Frayer - 2.02-152
+- kern/ieee1275/init: ppc64: Restrict high memory in presence
+ of fadump
+- Resolves: #RHEL-14283
+
+* Mon Aug 28 2023 Nicolas Frayer - 2.02-151
+- util: Regenerate kernelopts if missing on ppc
+- Resolves: #2051889
 * Fri Jun 16 2023 Nicolas Frayer - 2.02-150
 - kern/ieee1275/init: sync vec5 patchset with upstream